(54) TCP/IP NETWORK SYSTEM

(57) Abstract:

PROBLEM TO BE SOLVED: To improve security in a TCP/IP
network system using a DHCP (Dynamic Host Configuration
Protocol) server, without revising DHCP or the hardware
and the software of a terminal.
SOLUTION: The TCP/IP network system 10 is provided
with hubs 12, 13 having a plurality of ports to which a
terminal 16 is connected, a router 20 connected to the
hubs 12, 13 and to an external network 15, and a server 21
that is connected to the router 20 and provides various
services to the terminal 16. The server 21 is provided
with a DHCP server 23. The hubs 12, 13 are switching
hubs that can segment the network logically or physically,
and each information wall socket 11 is set so as to
belong to a segmented network consisting of that
information wall socket 11 and the router 20.
Japanese Patent Laid-Open Publication No. 2001-036561
* NOTICES * 

JPO and INPIT are not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer, so the translation may not reflect
the original precisely.

2. **** shows a word which cannot be translated.
3. In the drawings, any words are not translated.

[Claim(s)] 

[Claim 1] A network system using a TCP/IP protocol, comprising a hub provided with
two or more ports to which a terminal is connected, a router connected to this hub and
to an external network, and a server which is connected to this router and provides
various services to a terminal connected to the network, wherein this server is
equipped with a DHCP server which stores two or more IP addresses and assigns one of
these IP addresses to a terminal connected to the network, and said hub is a switching
hub which can segment a network physically or logically, such as by a VLAN scheme,
and each port of the hub is set up to belong to a segmented network consisting of
this port and the router.

[Claim 2] The network system according to claim 1, wherein the server is provided with
an authentication server which authenticates a network user, and the router is set up
to transmit to the exterior of a segmented network only a packet transmitted from a
terminal which has an IP address approved through authentication by the
authentication server.
[Claim 3] The network system according to claim 1 or 2, wherein the switching hub
stores the combination of an IP address approved by a network user's authentication
and the MAC address of the port to which the terminal with this IP address was
connected, and has a filtering function which prevents transmission of a packet to
the router when the combination of the source IP address included in a packet
transmitted from this terminal and the MAC address of this port differs from the
stored combination.

[Claim 4] The network system according to any one of claims 1 to 3, wherein the IP
address assigned to a terminal from the DHCP server is a private IP address valid
only on the network system, and the router has a NAT function which translates
between this private IP address and a global IP address valid on an external network.

[Claim 5] The network system according to any one of claims 1 to 4, wherein the DHCP
server is set up so that, when assignment of an IP address is requested by a terminal,
a suitable IP address is sent out to the MAC address of the requesting terminal.
[Claim 6] The network system according to any one of claims 1 to 5, wherein the
switching hub has a layered structure comprising:

A section hub to which a terminal is connected.

A central hub to which two or more section hubs and the router are connected.

[Detailed Description of the Invention] 

[0001] 

[Field of the Invention] This invention relates to a network system using the TCP/IP
(Transmission Control Protocol/Internet Protocol) protocol (hereafter called a
"TCP/IP network"). Specifically, this invention relates to improving security in
such a network system that uses a DHCP server.

[0002] 

[Description of the Prior Art] Recently, in educational facilities and research
institutions such as universities, many unspecified people use terminals of their
own, such as notebook personal computers. They can connect to the LAN (Local Area
Network) of the premises from information outlets installed in various places on the
premises, such as laboratories, book rooms, and computer labs, and from this LAN
they can connect to external networks such as the Internet. Since various terminals
are used in such a network system, the TCP/IP protocol, which is suited to
multi-vendor use, is used. In a TCP/IP network, an IP address, which is a numeric
address of 4 bytes, is set for each of the devices connected to the network
(hereafter called a "node").

Information is sent and received between nodes by transmitting an information packet
that includes the source IP address and the destination IP address.

[0003] Therefore, an IP address must also be set for each terminal connected to
said LAN. In this case, however, an individual IP address would have to be set for
every terminal that can be connected to the LAN, and since it is nearly impossible
for all these terminals to be connected to the LAN simultaneously, IP address
resources would be wasted. So, in such a network system, a suitable IP address is
automatically assigned to a terminal connected to the LAN using DHCP (Dynamic Host
Configuration Protocol).

[0004] Drawing 10 shows the outline of said LAN (90). Each information outlet (11) is
connected to a hub (91), the hub (91) is connected to a router (92), and the router
(92) is connected to an external network (15). Various servers (93), which provide
various services to terminals such as computers connected to the information outlets
(11), are connected to the hub (91). The servers (93) include a DHCP server (94),
which stores two or more IP addresses and assigns one of these IP addresses to a
terminal connected to the network. The devices are connected to one another by
cables, such as optical cables and lead cables, or by radio such as electromagnetic
waves. If a user connects a terminal to an information outlet (11) and sends an IP
address assignment request onto the network, the IP address assigned by the DHCP
server (94) is sent to the terminal. Using this IP address, the user can use the
resources on the LAN (90) and the resources of the external network (15).
[0005] 

[Problem(s) to be Solved by the Invention] Thus, in a TCP/IP network, if the IP
address of the other party is known, information can be sent and received mutually.
Because the DHCP server uses ARP broadcasting when it sends the assigned IP address
to a terminal, other terminals on the network are able to receive this IP address.
Therefore, in a TCP/IP network using DHCP, while a terminal can easily send and
receive information to and from other terminals, it is defenseless against other
terminals connecting to it and attacking it in bad faith.

[0006] As mentioned above, when many unspecified people can use the information
outlets, it is also important for security to record who used which information
outlet and when. For this reason, it is desirable that a user be authenticated and
identified when connecting a terminal to an information outlet, and that only users
approved by authentication can use the network. However, DHCP does not include a
function for authenticating a user. To solve this problem, work to add an
authentication function to DHCP is in progress. However, since supporting the added
function requires changes to the hardware and software of terminals, the burden on
users increases, and this method can hardly be called immediately feasible.
[0007] 

[Objects of the Invention] This application aims to provide a network system that
improves security in a TCP/IP network system using a DHCP server, without changing
DHCP or the hardware and software of terminals.

[0008] 

[Means for Solving the Problem] In order to solve the aforementioned problem, this
invention is a network system using a TCP/IP protocol, comprising a hub provided
with two or more ports to which a terminal is connected, a router connected to this
hub and to an external network, and a server which is connected to this router and
provides various services to a terminal connected to the network. The server is
equipped with a DHCP server which stores two or more IP addresses and assigns one of
these IP addresses to a terminal connected to the network. Said hub is a switching
hub which can segment a network physically or logically, such as by a VLAN scheme,
and each port of the hub is set up to belong to a segmented network which consists
of this port and the router.

[0009] The server is provided with an authentication server which authenticates a
network user, and the router is set up to transmit to the exterior of a segmented
network only a packet transmitted from a terminal which has an IP address approved
through authentication by the authentication server.
[0010] 

[Function and Effect] In the network system of the above-mentioned composition, a
switching hub which can segment a network physically or logically is used, and each
port of the hub is set up to form, together with the router, an independently
segmented network. Therefore, the terminals connected to the network belong to
separate segmented networks, and security between these terminals improves.

[0011] When a terminal transmits a packet to the exterior of the segmented network
to which it belongs, i.e., to the server, other terminals, or the external network,
the packet always goes via the router. Therefore, by setting up the router to
transmit to the exterior of the segmented network only packets transmitted from a
terminal which has an IP address approved through authentication by the
authentication server, a user must be authenticated in order to use the network,
and the security on the network improves.
[0012] 

[Embodiment of the Invention] Hereafter, the embodiment of this invention is
described. Drawing 1 shows the outline of the TCP/IP network system which is an
embodiment of this invention. This network system (10) has many information outlets
(11) to which terminals are connected, two or more section hubs (12), (12) to which
these information outlets (11) are connected, a central hub (13) to which these
section hubs (12), (12) are connected, and an integrated server (14) which is
connected to this central hub (13) and to an external network (15).
[0013] The integrated server (14) is provided with the router (20), which is
connected to the central hub (13) and the external network (15), and various servers
(21). The various servers (21) of this embodiment include the DHCP server (23),
which stores two or more IP addresses and assigns one of these IP addresses to a
terminal (16) connected to an information outlet (11); the authentication server
(24), which authenticates a user; and the cutting monitoring server (25), which
monitors whether the terminal (16) at each information outlet (11) is connected or
disconnected.
[0014] As mentioned above, when a terminal (16) newly connected to an information
outlet (11) requests assignment of an IP address from the DHCP server (23), the DHCP
server (23) sends out the IP address to be assigned by ARP broadcasting. In this
case, this IP address may be monitored by other terminals (16). Therefore, it is
desirable for the DHCP server (23) to be set up to send the IP address to the MAC
address of the requesting terminal (16).

[0015] Various authentication methods can be used by the authentication server (24),
such as a method using a card and a method using encrypted e-mail. In this
embodiment, after a terminal (16) acquires an IP address, an authentication tool is
started and authentication is performed via the network system (10). It is desirable
to use as the authentication tool the web browser with which present terminals (16)
are equipped as standard, and to authenticate by starting a CGI (Common Gateway
Interface) program via this web browser. The ID code and password for identifying a
user are usually stored in the authentication server (24). However, when the ID code
and password are stored on some server of the external network (15), the
authentication server (24) does not need to store them if it is set up to look up
the ID code and password using NIS (Network Information Service). In addition to
said ID code and password, it is desirable for the authentication server (24) to
store access restriction information which shows the range of access permitted to
the user of this ID code among the various servers (21), the external network (15),
and other terminals (16).

[0016] The router (20) has an IP filtering function that passes only information
having the IP address assigned to a terminal (16) authenticated by the
authentication server (24). In this embodiment, the IP address assigned by the DHCP
server (23) is a private IP address valid only on this network system (10), and the
router (20) has a NAT (Network Address Translation) function which translates
between this private IP address and a global IP address valid on the external
network. The router (20) of this embodiment stores the combination of the IP address
assigned to a terminal (16) and the MAC address of this terminal (16), and has a
function to refuse communication which does not match this combination. The various
servers (23), (24), and (25) are publicly known servers. A publicly known router is
used as the router (20) which has the IP filtering function and the NAT function.

[0017] The central hub (13) is provided with an upper port (30) to which the router
(20) is connected and many downstream ports (31) to which the section hubs (12),
(12) are connected. Each section hub (12) is provided with an upper port (32) to
which the central hub (13) is connected and many downstream ports (33) to which
information outlets (11) are connected. Thus, when many information outlets (11) are
used, it is desirable for the hubs to form a layered structure comprising the
central hub (13) and the section hubs (12). In this invention, switching hubs on
which a VLAN scheme can be set up are used for the central hub (13) and the section
hubs (12). In this case, the section hub (12) sets up a VLAN group on each
downstream port (33) connected to an information outlet (11), and sets up all of
these VLAN groups on the upper port (32) connected to the central hub (13).
Similarly, the central hub (13) sets up, on the downstream port (31) connected to
each section hub (12), all the VLAN groups set up on that section hub (12), and
needs to be able to set up, on the upper port (30) connected to the router (20), all
the VLAN groups set up on all the section hubs (12). That is, the switching hubs
used for the central hub (13) and the section hubs (12) need to be able to assign
two or more VLAN groups to a single port. Examples of such switching hubs are those
based on IEEE802.1Q, MultiVLAN, or ISCP proposed by Cisco.
[0018] In this embodiment, the section hub (12) stores the combination of the MAC
address of the downstream port (33) to which a terminal (16) was connected via the
information outlet (11) and the IP address assigned to this terminal (16) by the
DHCP server (23). It has a MAC filtering function which prevents transmission of a
packet to the central hub (13) when the combination of the source IP address
included in an information packet transmitted from the terminal (16) and the MAC
address of the downstream port (33) which receives this packet differs from the
stored combination.

[0019] Operation of the integrated server (14) in the network system (10) of the
above-mentioned composition is explained with reference to drawing 3 through
drawing 7. When a DHCP request is received from a terminal (16), as shown in
drawing 3, the router (20) forwards this DHCP request to the DHCP server (23) (Step
S10) and receives an IP address from the DHCP server (23) (Step S11). It then
transmits this IP address to the MAC address of the terminal (16) that made the DHCP
request (Step S12), and the processing of the DHCP request is ended.

[0020] When a terminal (16) starts the authentication tool and an authentication
request is received from the terminal (16), as shown in drawing 4, the router (20)
forwards this authentication request to the authentication server (24) (Step S20),
and authentication by the authentication server (24) is performed (Step S21). The
concrete method of this authentication is described later. When authentication by
the authentication server (24) is not successful, processing returns to Step S21,
and when it succeeds, the following steps are performed (Step S22). Under control
from the authentication server (24), the router (20) permits the successfully
authenticated terminal (16), using the IP address of this terminal (16), to access
the network outside the VLAN to which this terminal (16) belongs, i.e., the various
servers (21), other VLANs, or the external network (15) (Step S23). At this time,
the accessible range can also be restricted based on said access restriction
information stored in the authentication server (24). The router (20) then transmits
the authentication success page sent from the authentication server (24) to the
terminal (Step S24), and ends the processing of the authentication request.
[0021] When the router (20) receives an information packet transmitted from a
terminal (16) toward the various servers (21), other terminals (16), or the external
network (15), as shown in drawing 5, the router (20) judges whether the source IP
address contained in the information packet has been authenticated (Step S30), and
when it has not, transmission of the information packet is prevented. In this case,
the router (20) may discard this information packet and reply, may forward it to the
authentication server (24), or may discard this information packet and notify the
authentication server (24).
[0022] When it has been authenticated, the router (20) judges from the destination
IP address included in the information packet whether this information packet is
addressed to the external network (15) (Step S31). For transmission within the
network system (10), it is judged whether the destination on the network system (10)
is within the accessible range for the source IP address (Step S32). When it is not,
transmission of the information packet is prevented as described above, and when it
is, this information packet is transmitted to the destination IP address (Step S33).
For transmission to the external network (15), the router (20) stores the IP address
of the source terminal (16) and the destination IP address on the external network
(15), changes the source IP address into the global IP address which the router (20)
has by means of the NAT function, transmits said information packet to the external
network (Step S34), and ends the transmission processing of the information packet.

[0023] When an information packet is received from the external network (15), as
shown in drawing 6, the router (20) refers to the IP addresses of the terminal (16)
and the external network (15) stored at Step S34 of drawing 5, and searches for the
private IP address of the terminal which transmitted to the source IP address on the
external network (15) included in this information packet (Step S40). When no
applicable private IP address is found (Step S41), the router (20) discards said
information packet or replies to the sender. When the corresponding private IP
address is found, said information packet is transmitted to the found IP address
(Step S42), and the transmission processing of the information packet from the
external network (15) is ended.

[0024] When the cutting monitoring server (25) detects disconnection of a terminal
(16), as shown in drawing 7, on instructions from the cutting monitoring server
(25), the DHCP server (23) releases the IP address which this terminal (16) used,
the router (20) is set up so that this IP address can no longer be used (Step S50),
and the section hub (12) is set up to stop MAC filtering of the port which this
terminal (16) used (Step S51), and the disconnection processing of the terminal is
ended.
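
The router (20) decisions of Steps S30 to S34, S40 to S42 and S50, together with the IP/MAC combination check of [0016], modelled as an added Python example; it is not code from the patent. The address ranges, the authentication server address and all class and method names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed values, not taken from the patent text.
INTERNAL_NET = ip_network("10.0.0.0/16")   # private range handed out by the DHCP server (23)
AUTH_SERVER_IP = "10.0.0.2"                # authentication server (24)
ROUTER_GLOBAL_IP = "203.0.113.1"           # global address of the router (20)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str = ""


@dataclass
class Router:
    bindings: dict = field(default_factory=dict)       # private IP -> MAC, stored at DHCP time
    authenticated: dict = field(default_factory=dict)  # private IP -> permitted internal networks
    nat_table: dict = field(default_factory=dict)      # external IP -> private IP (Step S34)

    def dhcp_assigned(self, ip, mac):
        """Store the IP/MAC combination when the DHCP server assigns an address."""
        self.bindings[ip] = mac

    def auth_succeeded(self, ip, allowed_networks):
        """Step S23: permit access for this IP, limited by access restriction information."""
        self.authenticated[ip] = [ip_network(n) for n in allowed_networks]

    def terminal_disconnected(self, ip):
        """Step S50: make the released IP address unusable at the router."""
        self.bindings.pop(ip, None)
        self.authenticated.pop(ip, None)
        for ext in [e for e, p in self.nat_table.items() if p == ip]:
            del self.nat_table[ext]

    def outbound(self, pkt):
        """Packet from a terminal leaving its segmented network (drawing 5)."""
        # Refuse communication that does not match the stored IP/MAC combination.
        if self.bindings.get(pkt.src_ip) != pkt.src_mac:
            return ("drop", "ip-mac-mismatch")
        # Authentication requests must reach the authentication server (Step S20).
        if pkt.dst_ip == AUTH_SERVER_IP:
            return ("forward", pkt)
        # Step S30: has the source IP address been authenticated?
        if pkt.src_ip not in self.authenticated:
            return ("drop", "unauthenticated")
        dst = ip_address(pkt.dst_ip)
        # Step S31: internal or external destination?
        if dst in INTERNAL_NET:
            # Step S32: is the destination inside the accessible range?
            if any(dst in net for net in self.authenticated[pkt.src_ip]):
                return ("forward", pkt)                      # Step S33
            return ("drop", "outside-permitted-range")
        # Step S34: store the pair, rewrite the source to the global address.
        self.nat_table[pkt.dst_ip] = pkt.src_ip
        return ("forward", Packet(ROUTER_GLOBAL_IP, pkt.dst_ip))

    def inbound(self, pkt):
        """Packet arriving from the external network (drawing 6)."""
        private_ip = self.nat_table.get(pkt.src_ip)          # Step S40
        if private_ip is None:
            return ("drop", "no-nat-entry")                  # Step S41
        return ("forward", Packet(pkt.src_ip, private_ip))   # Step S42


if __name__ == "__main__":
    # Constructed sample traffic.
    router = Router()
    mac_a = "aa:aa:aa:aa:aa:01"
    router.dhcp_assigned("10.0.1.10", mac_a)
    print(router.outbound(Packet("10.0.1.10", "198.51.100.7", mac_a)))
    router.auth_succeeded("10.0.1.10", ["10.0.0.0/24"])
    print(router.outbound(Packet("10.0.1.10", "198.51.100.7", mac_a)))
    print(router.inbound(Packet("198.51.100.7", ROUTER_GLOBAL_IP)))
```

The table follows the text in keying stored pairs on the external address alone, so a second terminal contacting the same external host overwrites the first entry; NAT implementations also track ports to keep such flows apart.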

[0025] Next, the flow of operation at a terminal (16) is explained with reference to
drawing 8 and drawing 9. First, a terminal (16) is connected to an information
outlet (11) (Step S80), and a DHCP request is transmitted so that an IP address will
be assigned (Step S81). At this time, this DHCP request is transmitted to the DHCP
server (23) via the router (20). An IP address is assigned to the terminal (16) when
the DHCP server (23) transmits a suitable IP address to this terminal via the router
(20) (Step S82).
[0026] Next, the authentication tool is started and an authentication request is
transmitted (Step S83). At this time, this authentication request is transmitted to
the authentication server (24) via the router (20). When the authentication server
(24) transmits an authentication page to this terminal (16) via the router (20), the
authentication page is displayed on the screen of the terminal (16) (Step S84).
Next, from the terminal (16), the user enters an ID code and a password and
transmits them (Step S85). At this time, the ID code and password are transmitted to
the authentication server (24) via the router (20), and authentication is performed.
When authentication fails, processing returns to Step S84 by transmitting the
authentication page to the terminal via the router (20) again. When authentication
succeeds, the authentication server (24) transmits the authentication success page
to the terminal (16) via the router (20), the authentication success page is
displayed on the screen of the terminal (16) (Step S86), and use of the network
system (10) from the information outlet (11) is started (Step S87).

[0027] The user then disconnects the terminal from the information outlet (11) (Step
S88) and ends use of the network system (10). At this time, the cutting monitoring
server (25) detects this disconnection (Step S89), and the DHCP server (23) releases
the IP address of this terminal (16) on instructions from the cutting monitoring
server (25) (Step S90).
[0028] Therefore, using switching hubs on which a VLAN scheme can be set up, the
network system (10) of this embodiment is set up, as shown in drawing 2, so that
each terminal (16) belongs to a VLAN group (40) which consists of this terminal (16)
and the router (20). Since the terminals (16), (16) on the network system (10)
therefore belong to separate VLAN groups (40), (40), security between these
terminals (16), (16) improves.

[0029] When a terminal (16) transmits a packet to the exterior of the VLAN (40) to
which this terminal (16) belongs, the packet always goes via the router (20).
Therefore, by setting up the router (20) to transmit to the exterior of the VLAN
(40) only packets transmitted from a terminal (16) which has an IP address approved
through authentication by the authentication server (24), a user must be
authenticated in order to use the network, and the security on the network improves.

[0030] The router (20) stores the combination of the IP address and the MAC address
of a terminal (16) and has the function to refuse communication which does not match
this combination, and the section hub (12) has the above-mentioned MAC filtering
function. Therefore, what is called "spoofing", in which another terminal (16) uses
the IP address assigned to a certain terminal (16), can be prevented. Since the
router (20) has a NAT function, only the router (20), which has a global IP address,
can be referenced from the external network (15), and the terminal (16) cannot be
referenced directly. Therefore, attacks on a terminal (16) from the external network
(15) can be prevented. Since the DHCP server (23) sends the IP address assigned in
response to a DHCP request not by ARP broadcasting but to the MAC address of the
terminal (16) which made the DHCP request, interception of the IP address by other
terminals (16) can be prevented.

[0031] The above explanation of the embodiment is for explaining this invention, and
it should not be understood as limiting the invention described in the claims or
narrowing their scope. The composition of each part of this invention is not limited
to the above-mentioned embodiment, and it goes without saying that various
modifications are possible within the technical scope given in the claims. For
example, as a switching hub which can segment a network physically or logically, a
radio hub which can segment by radio channel can also be used instead of a switching
hub on which a VLAN scheme can be set up.
[Brief Description of the Drawings] 

[Drawing 1] It is a schematic diagram showing the network system which is an
embodiment of this invention.
[Drawing 2] It is a schematic diagram showing the logical connection in the network
system of this embodiment.
[Drawing 3] It is a flow chart which shows the processing operation to a DHCP demand
in the integrated server of this embodiment.
[Drawing 4] It is a flow chart which shows the processing operation to an
authentication demand in the integrated server of this embodiment.
[Drawing 5] It is a flow chart which shows the processing operation to transmission of
an information packet in the integrated server of this embodiment.
[Drawing 6] It is a flow chart which shows the processing operation to the reply of the
information packet from an external network in the integrated server of this
embodiment.
[Drawing 7] It is a flow chart which shows the processing operation to cutting of a
terminal in the integrated server of this embodiment.
[Drawing 8] It is a flow chart which shows operation of the terminal in this embodiment.
[Drawing 9] It is a flow chart which shows a continuation of drawing 8.
[Drawing 10] It is a block diagram showing the conventional network system.
[Description of Notations] 

(10) TCP/IP network system 

(11) Information outlet 

(12) Section hub 

(13) Central hub 

(15) External network 

(16) Terminal 
(20) Router 

(23) DHCP server 

(24) Authentication server 

(25) Cutting monitoring server
(33) The downstream port of a section hub
(40) VLAN group 

[Translation done.] 
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;&^"D-A;H P7FbXt«t{S?-&^*^P.^S-rS 

N A TStg^t1-§. If 1 nmmm 3 ©MtlA^c: 
IEffi©T^-y F7-i7vX-rAo 

DHCP-9— ^^ti. iffiS^iA^?, I P7F 

ux«tj=i3TA'^S5j<?n§t. ^MLtztrnmomkc 

7FbX(<:iR]ttTia&l P7FbX^Jitiit5J;9t 
•y F7-i'S^XrAo 

[11*116] T.-fy^y'if^^yii. mm'^mtn 
mmmm 5 (oimMaamo^^^y f 7-^ vxxi.o 

[0 0 0 1] 

[5§0^<Dlti.f«^if] *fgB^ii. TCP/IP (Tr 
ansmission Control Protcol / Internet. Protocol) ^ 
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^^3;^^^|JfflL/c^--y F7-^i^XrA (OT. Tt 
CP/I P^^'y F7-i'J tft-r§o ) (cM-rSfeOT 
fe^o mimui. *1HM. DHCP•^j--/^;&fflv^/c 
iS^--y F7-^>'XrAt*5tt§-tr+aUx^O|pI±t 

[0002] 

lis T-^mm(oxfsti\ ^mmt^y-hm^^~ 
10 mm. ^y^:L-^mm^mmmm^n 

rcW^uy^yVfj'^mP^OlAN (Local Area Ne two 
rk) tmilTt. liL ANA^P.'f>i?-^7 Fl^C^SP 
^-7 F7-^7tJg|tT-t§cj;-5t/S:oTl^§o 
^^^-y F7-^~>XrAT1J:. 
^Utt-'b. v;l/f-ty^?~©ilffltaL/cTCP/I P 
:/nF3;l/*^ffiffljnTl^§o TCP/I P#-7 F7- 
*7F7-^'{cgM2nfc#axMVX (W 
T. r/-Fj tm^. ) t{±. 4/UF©l![ffl7F 

bxT-fesi P7FbX!b^^ssnT43i3. mm^ 

20 l^fc I P 7 F bX t^ftO I P 7 F UX;& 
#ty»^'>--yF*^Sl^n5;:i:tj;^). y-Ff^© 

[0 0 0 3] ItfoT. Ml3LANtaiE?n?.4iii*1it 
I P7FbX*^St§£^S*^$§o LA^b^*^'?). 
il©±l^. L A Ntglbf#§^TOii*«fCf@giJ© I 

P7F^x^lS£t^i^:^g*^$D. tr^ mi>^^^m(D^ 

tti'^. I P7Fl-X«2g©Mat^§o ^^T\ 
<fc5*:7-'y F7-^i/XTA-eii. DHCPCDynamic H 
30 ost Configuration Protcol) F3;l/;&fijffi bT. 

L Amcmm^nmmicHb. mm i P7 Fbx 

[0 0 0 4] EllOtt. mil A Nm<DmS^^^bX 
v^5o §tllg3y-tr>Fai)a/N7'(9i)tg^*ns a 
^(9i)(±;l/-^(92)tgl?n. ;I/-^(92)tt. ?^g|?^^ 
7 F7-^(15)K^^?n§c Sfc. /N^ODttt. 'i 
Snviry F (iDtfgJ^Snfcnyif a-^^(D4SS« 

§0 ^t-A(93)ta. St© I P7FbX^Rt.b, 
40 7 F 7-^±tJi^$n/cC*S{C. 1^ I p 7 F bX* 
©10^jlJl3ST^DHCP^j— ^^(94)A^'tin§c # 

^tlS3>-fe>F(ll)tgi!bT. IP7FbX©fJia 
TS5l<^^^7 F7-^±tJI§t. DHC PHt-/SX94) 
t J: o TfJ f) a T P, n/c I P 7 F bXjb^aSSfcJM 6 n 
iSl P7FUX*ffll/^T. LAN(90)± 
©«2iV. ^m-y F7-^(15)©«i®^*iJfflT-t§o 
[000 5] 

50 [fl^*'^ab<tai:-r§SM] ilCctat. TCP/ 
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I P^-y h7-^<D±i^. m^9i(D I P7 FbX^^PS 
C tti^V^ tlli. Sl^t'lflg^i^Sft^o Mc. DH 

^ttt. ARP7"a-F4^+Xh^fiJffl-r5fci6. ^^-y 

T'fe^o 'Ijt-^r. DHCP/nha;l/;&?iMLfcTCP 

/I p^^7F7-^©ii^. mmmmm 
BicmrM^r t § sffi. mizmmm^ t o t 

[0 0 0 6] tfc, M3iOJ;3t. ^ffS^tOAPJA^ 10 

#gL. IPit j;f)IM^n/cfiJffl#©**^^^7 F7- 
^^fiJfflTtSCtattV^ b*^t=S:*^5. DHCP 

TV^^l\ i:©F^Sjfi^)S9l-r5fc&^ DHCP/DF 
[0 0 0 7] 

[^aj!©@fl^] DHCP^t-^^^ffll/^/iTCP 
/I P:t-7 F7-^>'Xf-Atfel^T. DHCP7°nF 

L/C F7-^~>;^-ri=.*a«t§ili:*@Wfct 

30 

[0 008] 

mmii. T C P / 1 P F Jffl Lfc* 7 

F7-i'i'XTi.T'$or, mmmm^nmum 

-/^tm^r^'o. ^-jm. mmi P7Fb:^^ 
lEtL. ^-v h^-^icwm-^nmrnic. mi p7 

F UXrpcD 1 -o^m D ST?) D H C P-9--/^;S:Mk.T*5 40 
m7<D§4-°-F*\ i^^-'-FfcyV-^A^S^r^E^^ 

[0 0 0 9] ffc. +}-- /^(±. ^-vvv-mm^m. 

-^^«iEfcj;f)|Scrj^n/c I F7 FbX^^lt^iffi* 

7-^o^g|itjMfit§<fcat^^$n§cfe*#ii[t 50 
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[0 0 10] 

7.4-j^y9i^-fmmhx. F 

$n§c tiieoT. #^-y F7-^titii?nfcis*aHa 
[0 0 11] sfc. §)c§saii*^6. iS«»jTi-r 

n/i I p 7 F^x^ti-siii*»?>iMfl^n5A^-y 

FOi?^^^. K^MbSnfc^^-y F7-^03'1-gP}ciMfit^ 
[00 12] 

mmt^o m 1 a. *fgii©iiaiMi-e$.5 t c p/ 1 

P^-7 F7-^'>'7,T^©ag'^SLTi/^5o i^^-'y F 

7-^->xrA(io)tt. s*ii*^~}t^^n§^a<Dif$s 

n>4zy F (11) fc. iSttSnyiry F (ii)*^'g^i^n§ 

^iS ©gPFlM 7 ( 1 2) ( 1 2) t . i^gPflM 7" (1 2) ( 1 2) 

^ti5*^/N7Xi3)t. m^^^^7\i3)mwi^ti. 9\- 

gP?^ 7 F 7- ^ (1 5) t g|^?n5|j£^-ttw^ (14) 

[0 0 13] m^-^-^^il4)li. it«^M7'(13)fcJ;W 
gp;^.^ F7-i'(i5)tgi'i$n§;l'-^f(20)i^. 

tiStOI P7F^X^fS1iU Ifffiny-b^FdDtg 
^$nfciili*a(16)t. P7VVX<Dtp(Dl'0^m 
^)aT5DHCP■9-w^(23)t. fOffltOEIE^ff^^ 
l!liE^-/^(24) §1fffi:3y-by F (ll)tc*5tt§4i* 

1(16) t mmtrdmmummt^mmm^- 

/^(25)A^#Sn§o 

[0 0 14] MiEWct^t, ^ilS^y-fe>F(ll)^c|^/c 
}cl^t^n/ciS*1i(16)*\ UHC F-9— /N(23)(cl P 
7 Fb7.cDfflST^Ssl<Lfcti^. DH C P^t-/^(23) 
tt. fflDaTS-^tl^^:! P7FbX%ARP7n- 

7.;&ffl©i^*a(i6){cj;?)^SSn§Bltgtt*^feSo 

^ T. D H c p •9--/^(23) mMLTzri^mmtm 
■r §M A c 7 F uxicmfrmiiit^^ 5 icmm-^n^ 

[0 0 15] igiE-fj--A(24)ti§|SII^?£ta^ A- 
F tc ct i. Hi^ft: $ nyc«? / - ;Wc J; ^rij 
ehyy^^'^ftLX. CGI (Common Gateway Interfac

ii-9--/<;(24)t{i. mmi. mmmzt^rM i 

;1I Dn-Kfc'j;t;;U7-FWg|3^^7 F7 
-^(15)©s!c§-9--AlciB1t?nTl^§l^t{i. HIE 

■9--^^(24)tt. N I S (Network Information Service) 
WFJ LT I D 3- F*5 j;yvu7- F^BB^t-§<}; 9 
t^£?nTV^ntl I Dn-F*3c};yVU7-F*E 

mt^'mmh\ s/c. lpiE■^t-/^x24)a. ffliHiD 

n-F*5j;tfVU7-F©f1l!t. mi Da-F©|ijjl:g 
tc. ^^(21). ^m7F7-^(15)feJ;mfi© 

^/T^-r7^-b;^sijiiifii*iEiiLT*5< ii tA^as l 

[0 0 16] ;l/-^(20)ti. illE-t}--^'5(24)tJ;?)|g|E 

^nrnmrnmrn'o'^r^nrc i ptfux^^i-t 

5o S/c. DHCP-tt-/^(23)tctD 
WDiTSnS I PTFbXa. i:<D#^'y F7-^7^>x 
•rA(10)±T:-©^*a:5:7°^l'-<-F I P7FbXT-$. 

'^^ ;b-^5?(20)a. iT'v'i'-^-h I PTFUxi:. n 
m-yh'y-^^xmjjr^^n-Ajl I P7 FbX^M 
jS^4±&A^~?)g^^t§ NAT (Network AddressTranslat 

{i. S*«(16)tC|iJi3aT?)tlfcI P7FPXt. 
*«(16) (DM A C 7 F t ©ftl^-ar^FStl LTfe . 

§0 ^a+)--A(23)(24)(25){i. l^Jn©-9— /^T' 

SO. I p 7^ u y^mt N A T«tg;&^f ts^i/ 

- ^ (20) t l^SlO t ©A^ffiffl ^ n§o 
[0 017] **^N7"(13)a. ;l/-^(20)A^"S^?n§ 

±??L#- h (30) mv^7'(\2) imtmm^n^^ 

Sf©mt°-h(3l)^M^Tfcf). gPP5M7Xl2)(12) 

(i:. 't'*^N7(i3)mii$n§±rjftt°- h 01) mm 

y^yv iu)tmmtii^^mT(kf^- V (33) %M 
^Ti^§o c©i;^(c. MMfi3y-byF(ii);&?iJ 
JlJtS^i^tt. ^N7"ti. f^*/^y(l3)^o<^;WJ/^7(l 
2)*M^/cPll^3gi:^§c: tA^Sf Ll\ *%B^T' 
**M7(l3);fo'J:t>*m/N/a2)t{i. VLANW 

^otf^. giin/N7(i2)a. mmytyvimzm 

^*n§mt°- h (33)t>rtLT. V L A N^*;l/-7^ 
S^T- 1 § t ±t t . c|5*; N 7" (1 3) tgll ? tx § ±ifLt°- 
F (32)ic?^ LT. lS£$n/c V LAN ^Vl'-ZO^T^ 




P]/N7(12)tjiii^n§mt°- h (31)tJ^ LT. gWI 
/N7(12)tcTig£?n/cVLAN^Vb-7°<D^T*K£ 

X'^^tnz-. ^i/-^? (20) icgii$n5±^t°- F (30) 

tMLT. ^T<DgPn/N7(12)tTlS$n/cV LAN 

*A7(i3)fec!;tfOT^N7(i2){cffiffl?n§Xi'7^>' 
^'7^7^c{±. ^-©4-°- F t^tlS© V LAN i^";l/-7^ 

LTti. IEEE802.1Q. MuItiVLAN. SfctiCiscottOJi* 
10 {cj;;SISCPtWLfcXi'7^>'^^VN7~A^-^if6nSo 

[0 0 18] if%iMmx\i.. »N7'(i2)tt. mm. 

(i6)*Hitii:3>-t> h (ll)^/^LTSI!^t^/cT»^^J}^- 
h (33) ©M A C 7 F t . ^iB*S(16) t^^f D H 
C P ^-^ ^ (23) 610 D a T P> tl/c I P 7 F i: ©ffi 
^^^laiiLTfct. Sil*«(16)*^6iMfl?n§»^ 
'>-7F04'{c#Stl§fgfg7tI P7FbXt. i^/^'!r'y 
F ;&§fit ST^SiK- F (33)©M A C 7 F t ©ffl^ 

*5^A7(13)'\©3Ml^PSlt-r§M A C 7^;V^' U y^^ 
20 il^^^fgbTl/>§o 

[0 0 19] ±IH«fig©*7 Vl~^'y7.Thm\^^ 

^t^S^^"^j--/^(14)©IM'F^El 3 ~il 7 iCf^-DXmmt 
5o 4iM(16)*^6DHCPS^l<*SftlXo/cJi^t 
(i, 03t^-rj;5t. ;i/-^(20)a. I^DHCPSsR 
^DHCP^t-/^(23)t|EJMb (XT7 7S10) . DH 
CP-it-/^(23)A^?> I ?7YVX-^mm^ {T.^v'f 
Sll) o ^LT. ^I P7FbX^DHCPSsl<Ofe-:3 
fcSffi*«(16)0DM A C 7 F bXtlSJSLT (Xt7 7S 
12). DHCPSJj<tl-r5ffl«l7-r§c 

30 [0 0 2 0] mm.mfmm:v~)\^^m^\.x. m. 

J; at. ;l/-^(20){i. ^^IEl*^l»-/^(24)t 
(XT7 7S20) . miE-y— /^(24)tJ::S^.iEA^ 

ff^fcns (XT7 7S21) 0 wMmwmmsm-^ 

oi^Ttitta-r^o l!ii+)--/^X24) t ct §feiE*^^ii] L 

ta. OT©Xr77*llt7t§ (Xr77S22) o lg 
fI-9--^^(24)A^c>©$iJfPicj;i3. ;l/-^(20)(i:. iSiAL 
f«li(16)0DI P7FUX^ffll.>T. ^mi(16)A^ 
40 5.. K4ifi5R»(16)©f?rlt§ V L A NO^gP©^s7 F 7 
t*fe^. ^«^t-/^(21). lOVLANSfcfi 
^1115^^7 F7-^(15)'\©7^-bX^HW^ (Xr7 
7S23) o i:©fct. lI|E-9-^';(24)tfE1SLfcMia7 

t^cfctTtSo -^LT. ;l/-^(20)a. HIE-tf--'^ 
(24) p.)! 6 n/cHlE/Sii)-?— >"*4i*lit ISJS L T 

(XT7 7S24) . wmmxmtmwtmt^o 
[0 0 2 1] mm.mt-^. '^\m->^m'). mm 
*«(i6). ^r'j,t')^u%vYv-'7{\i)\zmv-m^ 

50 MzWi'^^TV F^;I/-^(20)A^^ttSJ^/cti#{C{±. 
nminii I ?7 ]^iy^mMm-^-h^t'^t'mm

b (Xx-y:/S30) . IgH?^^^T{i*i.^ii^tti. tffi 

(24)tcajnLTfej;i>o 

[0 0 2 2] llErl^tOl^fCtis ;b-:5f(20)a. 'i$g 

7 h7-^(15)*fE7tfc-r5t<D*^t'5A^ 10 

^Wift5 (Xt7:/S31) 0 ^-yhU—^iyTsTLO 

tlTl/^?.A^§*^^fiJ»Tt§ (Xr7 7°S32) o 

l/X'NfeJII-rS UT>y:^S33) o ^SP*'yF7-^(l 
5)'\©5Mfi©«^t(i, fSt7tt*5S*li(l6)OI P 
7KPXi:^5tt&5^g|5*>y h7-^(15)<DI P7F 
lyT^mim^Hmc, NATlitgt<tt), %€7cIP 20 
7¥U7.^. ;l/-^(20)*^^-r§^*n-^'i;H P7Fb 

[0 0 2 3] ^gP*7 F7-^(15)*^e>»^';r7 
SltlXo/cti-^tii:. E16t^^t<i:5^i:. ;l/-^(20) 
(i. H 5 ©Xr 77°S 34tTlEML/c4ffi*ji(I6)$5j;tf 

nm-'-y h 7-^^ (15)03 1 p 7 F bx%#BSL. mm^ 

1 3M1 L fc«S*SlO -i' F I P 7 F 30 
mmt^ (Xr7yS40) 0 ^SI-^T'^^'^-F I 
P 7 F lx7.>b^Mofr /cJf^t (7.r 7/54 

1) . tmm^^'r-j Ymmt^t\ trcmmic 

m{iU m'^t^Zfy-^^-h I P7F^XAHlo*^o 
fc^^ta. Mo>b>o/cI P7Fl/XtMIE1fSA':r7 
VmiMLX (X7-yfSi2) . :HgP^^7F7-^(15) 

[0 0 2 4] ^2IiTSM+^-A(25)«*1i(16)^Dti]i^;& 

L tdi^ic It. mm^^~' ^ (25)*^ e oDji/Tst <fc 

07t^^tJ;at, DHCP-t^-A(23)tt. IIS* 40 
1i(16)/!3^'fMLTI/^/c:I P7FbX^»]KU ;l/-^(2 
0)tt. iil P7FU7.!bWIMt:S:§J;5{C^^n 
Ux77'S50) . OT/N7(l2){i. i^ffi*il(16)jb^fij 
ffl LTl/^fct"- FOM A C 71' U y^^'*Ej3±-rS j: 
atlSffi^tiT (Xr7 7S5l) . iiSSOWM!* 

[0 0 2 5] is*ii(i6)t*3(t§»5?5?tn*ia 

>-byF(n)(cSlcLT (Xr77°S80) . I P7Fb 
X;&fflt)aT§j;a(CDHCPS*^JMtt§ (Xt7 50 



7S81) 0 ilOtt. iiDHCPSjRtt. )l-^m^ 
/>tTDHCP-9-w^(23)tjM{i^n§o DHCP-9— 
/^(23)(i. aSftI P7FUX^;l/-^(20)^^LTM 

mmicmint^ctic^^. s*s(i6)t i p7f^ 

XA^fJDSTBtl^ (7.T 7^582) o 
[0 0 2 6] igiE7-;l/^EilLT^iESiR«3i 
ffi-r?. Ur7yS83) o i:©tt. ^ElEim 
-^(20)*/]-LTlIIE+i— /^(24){CjiMSn§„ 
-/^(24){i, (20)%^LTliffi*ffi 

-iy-hmmi^^ (Xr77°S84) o '-klc. fOfflta, 
iifli*«(l6)A^e. I Da-F*3j:tf/U7-F^A*LT 
iMfit?) (Xr77°S85) o iSlDa-F$5 
J;yV^X7-Fa. ;l/-^(20)^/l-LTlIIiE'9— ^^(24) 

t-r§Ct{cJ;D. Xr77°S84tlSo IMtlSiAb 
fcS^ta. 18111^-/^(24) a. IfWAO-^-^^"^;!/ 

*ffi(i6)cDiifftii»A©'^-s/'*m«nT (X'T 

77S86) . ^^uy^yhiim^ibm-yV'y-'^'y 

XThimmmffm^-^n^ (xf-7 7s87) o 
[0 0 2 7] ^LT. mnrnmi^mmm^y^yh 

(ll)*^BWLT (Xr77S88) . ^^7F7-i'->X 

(25) t±. m.mmm^L (xr7 7°s89) . wm^t 

-;N(25)*^^©fi^xtJ;i3. DHC P-9--A(23)t±, M 
S*«(16)0 1 P7FbXW^t^ (Xt7:^S9 

0) o 

[0 0 2 8] |j!£oT. *^i]SJg^©^^7 F7-^i^XT 

A(io){i. \ I knmmh^nmi&mWi.7.-( v=f-y 
t\ mwmm mts^^-i-i^ v l a n 

7(40){ci!rltSJ:at^'>£*ti§<. l^oT. ^^7F7 
-^i/XxA(10)±OS*il(16)(16)ifa L(±. SiRfD 

V L A N 7'(40) (40) fcFjrS 1 5 1 1 ^ § 6 . 

iiii*a(i6) (i6)r^o-(?+a «j x^- A-^^±-r §0 
[0 0 2 9] f fc. ^§s*i(i6)A^?.. wm.mm) 
mmt^ V I, A N (4o)(r)^gp{c/^^ 7 F ^mtt^m^ 

icJi. £Nt';l^-^(20)^/t-LTlTt)niio t;^oT. 
^(20)A^ EliE^i--;^(24)©tllfBcj;0IS^g?tlfcI P 
7KbX^'f^1-?.4iW(l(3)A^e>Sfa?n§/^^7 F© 
^f^. VLAN(40)O^^gP(c3Mfi-r§j;5tiSS^tl?. 

ct{c<tf). ?ijffl#A^#^7F7-^'*?yffl-r§{c(i. ig 
fmrn'^m^if^'c^t^^. ^^7 F7-^'±©-tr+ 

[0 0 3 0] f/i. ;P-^'(20)A\ iffi*«(16)(c43(t§ 
I P7FbXi:MAC7FL-X©ffl^-tJ:^!E1tL. ISII 

P^/n7(i2)*^±IHm A c 7-i';u^ 'J ymmMLx\.^ 
§A^?>. :!^gP^-7 h7-^(15)±*^?,[±. ^'u-Ajll

tf^mmm^mmmitTt^o dhcp 

•9— /^(23)(i, DHCPS*tJ^LTSJ!3STfcI P7 
KUX%, ARP:^D-K:^^t7.bT'ti^:<. DHCP 
^3l<;&tT*o fcffl*il(16)(DM A C 7 F t 

ffiOii*a(16){C<t§ I P7FbX(D^S;&K±T 

[0 0 3 1] limmBmmma. ^mmmmt^ 
^Ltmmx'h^o &mi. ^^>yF7-^*»awx 

[02] F7-^->XxAt43it;§ii 
[03] *^]!iJglO0e^■9•-/^t^5^^TDHCPS3R = 
m 4 ] mmBmm-^^-^^ici3\.'xmmMicn

[05] ^mmMit^-^^i^^i^^-zmi^^'ry f 
©ii€{c?>ri-5ffi«ii{t%s^-r7n-5^^- F -es^o 
[0 6 ] :$immmm^'^~^^t^^^mm^ f 7 
-^:'Jb^601fls/■^'>■7FojISt»•r«MaiI^t*/T^■r 

m 7 ] fcl^TSMO W 

10 Km^mmmi'^^mtyu-^^-hTh^. 

[08] *»miicfc'tt5ig*S©i]f1^^/7^-r7n- 
f-t-FT-S^o 

[09] 08O|it*.1^t7D-5'^-FTfe§o 
[01 0] «0^^'y F7-^>'XrA^^N-r7n-y^7 
0-pSi.o 

[?!F^oiiHj] 

(10) TCP/I P*-y F7-^i^;^TA 

(11) H^ny-trvF 

(12) OT/^7' 
20 (13) cfi^MT" 

(15) ^a?#s-yF7-^ 
(16) 

(20) 

(23) 

(24) Sfi-if-A 

(25) tJOMM-A 

(33) OT/N^OTiJit*- F 

(40) VL AN^^-T' 